Merge pull request #1194 from avast/LZ_PeInOverlayDetection
Added detection of PE in overlay
ladislav-zezula authored Mar 5, 2024
2 parents e119d3b + 071f184 commit 3fe61e8
Showing 1 changed file with 15 additions and 0 deletions.
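--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -184,6 +184,21 @@ rule eziriz_dotnet_reactor_62_or_newer {
 dotnet.user_strings[dotnet.number_of_user_strings - 2] == "{\x001\x001\x001\x001\x001\x00-\x002\x002\x002\x002\x002\x00-\x005\x000\x000\x000\x001\x00-\x000\x000\x000\x000\x001\x00}\x00"
 }
 
+rule pe_file_in_overlay
+{
+meta:
+tool = "P"
+name = "PE-in-Overlay"
+version = "-"
+extra = "Various binary tools"
+condition:
+pe.overlay.size != 0 and
+pe.overlay.offset != 0 and
+uint16(pe.overlay.offset) == 0x5A4D and
+uint32(pe.overlay.offset + 0x3C) >= 4 and
+uint32(pe.overlay.offset + uint32(pe.overlay.offset + 0x3C)) == 0x00004550
+}
+
 rule spirit_15_01 {
 meta:
 tool = "P"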
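Review bot: The e_lfanew read in the new pe_file_in_overlay condition is only bounded from below (`>= 4`), so nothing ties the "PE\0\0" lookup to the overlay itself; a bogus e_lfanew can point past the overlay or past the end of the file. YARA treats an out-of-range `uint32()` as undefined, so the rule should not false-match on that alone, but the intent is clearer and the header lookup provably stays inside the appended data if the bound is explicit: `uint32(pe.overlay.offset + 0x3C) + 4 <= pe.overlay.size and`. Also worth a meta/comment line such as `// Heuristic: an MZ/PE header at the very start of the overlay; installers and self-extracting stubs legitimately carry one, so treat this as an indicator rather than a packer identification`, since the other rules in this file name a specific tool while this one matches a broad class. The surrounding rules eziriz_dotnet_reactor_62_or_newer and spirit_15_01 extend beyond the hunk.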
